First known US example of a gas-pump skimmer that uses SMS to exfiltrate data

Originally published at: http://boingboing.net/2017/07/27/140-character-criminals.html


I’ve had my card skimmed twice so far this summer. Both times at gas stations. It’s a problem and this version that eliminates a removal for data is a bigger problem.

Lesson: Cash for gas.


This is worrisome. Can someone confirm that contactless payment systems are more secure than actually inserting your credit card and entering a PIN? Thanks.


Works every time

kidrock


It’s the gas station owners, they’ve had the same amount of time to convert that my stores have and they haven’t done it. 100+ stores at $500 a terminal x4 registers + installation (has to be bolted down with security screws). It cost a pretty penny. Even now, it’s not as secure as the EU system (chip & PIN, something you have + something you know).

I think the reason why is because the big oil companies raised a stink about it and got an extension from PCI requirements.

Yes and no.

Your credit card info is still stored unencrypted on the mag stripe on the back of the card for backwards compatibility.

That’s why when you insert it into the chip slot, it only goes in part way.

Edit: Sorry, you said contactless - misunderstood.

Payments that rely on static information need to go away.

I haven’t done all my research yet and I’m sure it has its own liabilities but I plan to move to Android Pay once I get a phone capable of supporting it. My understanding is that it transfers temporary information to the merchant that would be pretty useless to someone capturing it (unless I suppose they can make use of it immediately?).

However it’s not usable everywhere a credit card is so it’s not a perfect solution.

Or at a minimum, use credit and not debit. Even with debit cards, if you don’t put in the PIN, it’s processed as a credit card, which for whatever reason has a lot more protection for the consumer.


I can confirm that any payment systems that use Dynamic Data Authentication (DDA) are far more secure than mag stripes, which only have Static Data Authentication (SDA). Mag stripes are encoded by the bank before they’re mailed to you, and they never change (that’s why they’re called static.) If you skim one today, you can replay the same skim again and again and again. But contactless payment systems use DDA, which means the message has a dynamic number that changes with every authorization request (the chip uses strong cryptography to generate a new dynamic number for every transaction.) Once the bank receives an authorization request made using DDA, they verify the dynamic number is correct, then they prevent that same number from being accepted for a second payment.

Contactless cards and mobile phone payment systems usually communicate using Near Field Communications (NFC); chip cards use the little copper pads; both use DDA.* A thief can still skim them and learn the account number, but the skimmed data is worthless without the ability to generate the DDA because the secret code to create the DDA is buried deep inside the chip.**

A mag stripe card that requires a PIN can still easily be skimmed. Many skimming installations discovered on ATMs and gas pumps have included a hidden camera or tampered keypad that records the customer typing the PIN. PIN is barely a speed bump to the thieves.

Finally, both Chip and PIN and Chip and Signature are immune to skimming. The only security difference is that if a mugger grabs your wallet he can spend your Signature card until you cancel it, but he won’t know your PIN so that card is worthless to him.

The US needs to get over this stupid infatuation with the mag stripes, and finish converting to chip based payments. You can blame every retailer who whines “it will cost me money to convert my cash registers.” Their mouthpiece organization, the NRF, is still dragging their feet like a four-year-old going to get a vaccination. Even Visa is reluctant to push chip too hard, because anything that slows a transaction down makes the customer realize “this card is stupid, cash is faster and easier than this.” And that attitude is bad for Visa’s business.

* If a bank is completely and utterly incompetent, they are technically not prohibited from using SDA with their contactless systems, but they’ll get seriously spanked by PCI fines and lawsuits. SDA on NFC cards was more common when they first started cutting over to smart cards, but I’m unaware of any banks that still do this today.

** A relay attack is technically possible, but these are much harder than simple skimming and are highly unlikely today.

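To make the SDA/DDA distinction in the answer above concrete, here is an added Python simulation (not code from the original thread) of a toy issuer: skimmed static track data authorizes again and again, while a per-transaction cryptogram keyed inside the chip and bound to a transaction counter is rejected on replay and cannot be forged without the key. The HMAC construction, the field names, the `Issuer`/`Chip` classes and the test card number are assumptions for illustration, not the EMV specification.

```python
import hmac
import hashlib
import secrets


class Issuer:
    """Simulated card issuer (bank). Toy scheme, not real EMV."""
    def __init__(self):
        self.keys = {}      # PAN -> secret key shared only with the chip
        self.last_atc = {}  # PAN -> highest transaction counter accepted so far

    def enroll(self, pan):
        self.keys[pan] = secrets.token_bytes(16)
        self.last_atc[pan] = -1
        return self.keys[pan]

    def authorize_magstripe(self, track):
        # Static data: all the issuer can check is that the account exists,
        # so a copied track is indistinguishable from the real card.
        return track["pan"] in self.keys

    def authorize_dda(self, msg):
        key = self.keys.get(msg["pan"])
        if key is None:
            return False
        data = f'{msg["pan"]}|{msg["atc"]}|{msg["un"]}'.encode()
        expected = hmac.new(key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False                     # forged or tampered cryptogram
        if msg["atc"] <= self.last_atc[msg["pan"]]:
            return False                     # counter already used: replay
        self.last_atc[msg["pan"]] = msg["atc"]
        return True


class Chip:
    """Simulated chip: the key never leaves it, only cryptograms do."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def generate(self, un):
        self.atc += 1                        # application transaction counter
        data = f"{self.pan}|{self.atc}|{un}".encode()
        return {"pan": self.pan, "atc": self.atc, "un": un,
                "cryptogram": hmac.new(self._key, data, hashlib.sha256).digest()}


def demo():
    bank = Issuer()
    pan = "4111111111111111"                 # constructed test number
    chip = Chip(pan, bank.enroll(pan))
    stripe = {"pan": pan, "exp": "1219"}     # static track data (constructed)
    stripe_ok = bank.authorize_magstripe(stripe)
    stripe_replay = bank.authorize_magstripe(dict(stripe))   # copy still works
    msg = chip.generate(un=secrets.token_hex(4))  # terminal's unpredictable number
    dda_ok = bank.authorize_dda(msg)
    dda_replay = bank.authorize_dda(dict(msg))    # same message captured and resent
    forged = bank.authorize_dda(dict(msg, atc=msg["atc"] + 1, cryptogram=b"\0" * 32))
    return stripe_ok, stripe_replay, dda_ok, dda_replay, forged
```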

Thank you Drone for the thorough answer. Much appreciated.
